Oracle Linux 3 / 4 : cups (ELSA-2008-0206)

Critical Nessus Plugin ID 67674

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

From Red Hat Security Advisory 2008:0206:

Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems.

Two overflows were discovered in the HP-GL/2-to-PostScript filter. An attacker could create a malicious HP-GL/2 file that could possibly execute arbitrary code as the 'lp' user if the file is printed. (CVE-2008-0053)

A buffer overflow flaw was discovered in the GIF decoding routines used by CUPS image converting filters 'imagetops' and 'imagetoraster'. An attacker could create a malicious GIF file that could possibly execute arbitrary code as the 'lp' user if the file was printed. (CVE-2008-1373)

It was discovered that the patch used to address CVE-2004-0888 in CUPS packages in Red Hat Enterprise Linux 3 and 4 did not completely resolve the integer overflow in the 'pdftops' filter on 64-bit platforms. An attacker could create a malicious PDF file that could possibly execute arbitrary code as the 'lp' user if the file was printed. (CVE-2008-1374)

All cups users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Solution

Update the affected cups packages.

See Also

https://oss.oracle.com/pipermail/el-errata/2008-April/000555.html

https://oss.oracle.com/pipermail/el-errata/2008-April/000557.html

Plugin Details

Severity: Critical

ID: 67674

File Name: oraclelinux_ELSA-2008-0206.nasl

Version: 1.8

Type: local

Agent: unix

Published: 2013/07/12

Updated: 2019/09/30

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:cups, p-cpe:/a:oracle:linux:cups-devel, p-cpe:/a:oracle:linux:cups-libs, cpe:/o:oracle:linux:3, cpe:/o:oracle:linux:4

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2008/04/01

Vulnerability Publication Date: 2005/01/27

Reference Information

CVE: CVE-2004-0888, CVE-2005-0206, CVE-2008-0053, CVE-2008-1373, CVE-2008-1374

BID: 28307, 28334, 28544

RHSA: 2008:0206

CWE: 119, 189